From 6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Fri, 22 Sep 2006 06:19:03 +0000
Subject: Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER Patch By Max Kanat-Alexander r=ghendricks, a=myk
---
Bugzilla/Template.pm | 16 ++++++++++++++++
1 file changed, 16 insertions(+) (limited to 'Bugzilla')
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b54c4a0f2..7149828ef 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
 1
 ],
+ # Note that using this filter is even more dangerous than
+ # using "none," and you should only use it when you're SURE
+ # the output won't be displayed directly to a web browser.
+ txt => sub {
+ my ($var) = @_;
+ # Trivial HTML tag remover
+ $var =~ s/<[^>]*>//g;
+ # And this basically reverses the html filter.
+ $var =~ s/\@/@/g;
+ $var =~ s/\<//g;
+ $var =~ s/\"/\"/g;
+ $var =~ s/\&/\&/g;
+ return $var;
+ },
+
 # Wrap a displayed comment to the appropriate length
 wrap_comment => \&Bugzilla::Util::wrap_comment,
--
cgit v1.2.3-24-g4f1b
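Review bot: The warning comment above `txt` says the filter is "even more dangerous than none" but never says why, and the reason is what a template author needs to know: the filter turns already-escaped data back into raw `<`, `"`, `&` and `@`, so any user-controlled value in a message becomes live markup if the result is ever sent to a browser. I would extend the comment with something like `# It undoes the html filter, so user data comes out unescaped; apply it last and never when the usage mode is USAGE_MODE_BROWSER.` Nothing in this hunk checks the usage mode, so the guarantee rests entirely on the callers, which are outside the part of the commit shown here (the view is limited to Bugzilla/, and the enclosing `create` sub starts and ends outside the hunk). The entity patterns in the `s///` lines appear to have been decoded by the page rendering, so they are not reviewed individually; the order that is visible (tags stripped first, `&` handled last) looks like the right one to avoid double-decoding.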